This issue describes a potential roadmap for the integration of pip-audit into pip as a pip audit subcommand, as well as potential blockers.
This top-level comment will be edited as the roadmap is updated and progresses. Comments to this issue will describe progress on the roadmap for subscribers.
[x] Transfer this project to the PyPA
[ ] pip supports a vulnerability API that isn't the legacy JSON API
    [ ] pip for PEP 691: https://github.com/pypa/pip/pull/11158
    [ ] pip-audit supports PEP 691 + future PEP instead of legacy JSON API for PyPI
[ ] pip-api needs to support being vendored by pip and using internal pip API instead of CLI
[ ] pip-audit needs to support being vendored by pip and 'mounted' as a subcommand
    [ ] audit all our sub-dependencies and determine if we will introduce any new pip sub-dependencies, or if that can be avoided
    [ ] a method to minimally restrict what parts of our command API are available via pip audit, which would allow us to slowly introduce existing pip-audit features into pip audit rather than all at once
    [ ] similar to the above: features that should not be part of the pip integration need to be marked and gated during vendoring, e.g. our current CycloneDX SBOM support
[ ] pip-audit and necessary dependencies are vendored into pip
[ ] new release of pip with support for pip audit
I think the core functionality we'll want to support is:
Auditing the local environment: pip audit
Auditing a requirements file: pip audit -r <filename>
Auditing a source tree for a Python project: pip audit .
Output in formats that pip currently supports (e.g. JSON, text/columns)
Things that pip-audit supports that pip audit may want to support eventually but don't need to be included in the initial release:
Automated fixing/remediation (--fix)
Output in formats that pip doesn't currently support (e.g. SBOM format)
Things that pip-audit supports that pip will likely never support:
Support for non-PEP 691 compliant APIs (e.g. legacy JSON, OSV)
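As an added illustration (not code from pip or pip-audit, and not part of the issue above): one way to mark features by tier and gate them so that a vendored pip-audit exposes only an allowlisted subset as pip audit, in the spirit of the "minimally restrict what parts of our command API are available" and "marked and gated during vendoring" items. Flag names mirror pip-audit's CLI; the Tier/Mode registry, the release switch, and the helper names (allowed, fused_off, build_parser, parse) are assumptions made for this example.

```python
"""Feature gating for a vendored `pip audit` (added example, not project code).

Assumed design: every gated piece of CLI surface is tagged with a Tier.
INITIAL features ship in the first vendored release, LATER features can be
switched on in a later release, and NEVER features are stripped outright
by the vendoring step. Standalone pip-audit always sees everything.
"""
import argparse
import enum


class Tier(enum.Enum):
    INITIAL = "initial"   # in the first `pip audit` release
    LATER = "later"       # pip-audit feature that `pip audit` may gain later
    NEVER = "never"       # must be fused off during vendoring


class Mode(enum.Enum):
    STANDALONE = "standalone"   # plain `pip-audit`
    VENDORED = "vendored"       # mounted as `pip audit`


# Assumed registry layout, following the roadmap text above.
OUTPUT_FORMATS = {
    "columns": Tier.INITIAL,
    "json": Tier.INITIAL,
    "cyclonedx-json": Tier.LATER,   # SBOM output: gated out of the first release
    "cyclonedx-xml": Tier.LATER,
}
VULN_SERVICES = {
    "pypi": Tier.INITIAL,   # the PEP 691 index path
    "osv": Tier.NEVER,      # not a PEP 691 API; never exposed via `pip audit`
}
OPTIONAL_FLAGS = {
    "--fix": Tier.LATER,    # automated remediation, deferred to a later release
}


class GatingError(ValueError):
    """Raised instead of exiting when argv touches a gated feature."""


class GatedParser(argparse.ArgumentParser):
    # argparse calls error() for unknown flags and invalid choices alike;
    # raising lets the caller (or a test) observe the gate without SystemExit.
    def error(self, message):
        raise GatingError(message)


def allowed(registry, mode, release=Tier.INITIAL):
    """Names from `registry` reachable in this mode and release."""
    if mode is Mode.STANDALONE:
        return sorted(registry)
    visible = {Tier.INITIAL} if release is Tier.INITIAL else {Tier.INITIAL, Tier.LATER}
    return sorted(name for name, tier in registry.items() if tier in visible)


def fused_off():
    """Features the vendoring step must strip, not merely hide behind a gate."""
    return sorted(
        f"{kind}:{name}"
        for kind, registry in (("format", OUTPUT_FORMATS),
                               ("service", VULN_SERVICES),
                               ("flag", OPTIONAL_FLAGS))
        for name, tier in registry.items()
        if tier is Tier.NEVER
    )


def build_parser(mode, release=Tier.INITIAL):
    """Build the CLI with only the choices and flags permitted for this mode."""
    prog = "pip audit" if mode is Mode.VENDORED else "pip-audit"
    p = GatedParser(prog=prog)
    p.add_argument("project_path", nargs="?",
                   help="audit a project source tree, e.g. '.'")
    p.add_argument("-r", "--requirement", action="append", default=[],
                   metavar="FILE", help="audit a requirements file")
    p.add_argument("-f", "--format", default="columns",
                   choices=allowed(OUTPUT_FORMATS, mode, release))
    p.add_argument("-s", "--vulnerability-service", default="pypi",
                   choices=allowed(VULN_SERVICES, mode, release))
    for flag in allowed(OPTIONAL_FLAGS, mode, release):
        p.add_argument(flag, action="store_true")
    return p


def parse(argv, mode, release=Tier.INITIAL):
    """Parsed namespace, or None when argv uses a feature gated in this mode."""
    try:
        return build_parser(mode, release).parse_args(argv)
    except GatingError:
        return None


if __name__ == "__main__":
    # Constructed invocations covering the roadmap's core and deferred features.
    for argv in ([], ["-r", "requirements.txt"], ["."],
                 ["--format", "cyclonedx-json"], ["--fix"], ["-s", "osv"]):
        ns = parse(argv, Mode.VENDORED)
        print(f"pip audit {' '.join(argv):<26} -> {'gated' if ns is None else vars(ns)}")
    print("fused off at vendoring:", fused_off())
```

The distinction between LATER and NEVER matters for the vendored copy: a LATER feature is still present in the vendored source and only hidden from the parser, so it can be enabled by flipping the release switch, whereas a NEVER feature (here the OSV service) is reported by fused_off() so the vendoring step can delete that code and its dependencies rather than ship dormant network code inside pip.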
Added another sub-item to the "needs to support being vendored by pip" task to reflect that we need to completely "fuse off" some functionality, but otherwise this roadmap LGTM!